Data Processing Agreement

Event Organizer / Self-Service Events


Last updated: 20 April 2021

1. Introduction

1.1 By accessing our Site at (the “Site”) and using the “Self-Service Events” function on the Site (together with the Site, herein referred to as the “Services”) provided by Live Doors AB or any of our subsidiaries, affiliates, or group companies (“Doors”, or “we”/ “us”/ “our”), you are acting as an “Event Organizer” and agree to the legally binding rules described here (the “Principal Agreement”).

1.2 When we provide the Services, including when we sell Tickets and make your Self-Service Events available on the Site, we collect and process personal data of the Attendees (“Attendee Personal Data”). Our processing of Attendee Personal Data is conducted in accordance with our general Privacy Policy.

1.3 In connection with your arrangement of Self-Service Events, and for the purpose of marketing and promoting the artist to Attendees, you may decide to collect and process Attendee Personal Data necessary for these purposes. You shall be responsible for your collection and processing of such Attendee Personal Data under applicable laws.

1.4 If you are deemed to process personal data on behalf of Doors, you agree that this data processing agreement (the “Processing Agreement”) shall apply between you and Doors. You are hereinafter referred to as the “Processor” and Doors as the “Controller”. The Processor and the Controller are together referred to as the “Parties”, and each a “Party”.

1.5 The terms used in this Processing Agreement (such as “personal data” and “processing”), regardless of what word form they appear in, are defined as set out in the applicable privacy legislation and regulations. Any capitalized terms used herein shall have the meaning described in the Principal Agreement, unless otherwise stated in the Processing Agreement.


2. Purposes of data processing

2.1 The Processor commits to process personal data on the documented instructions of the Controller under the conditions of this Processing Agreement.

2.2 The processing will take place exclusively in the context of the Principal Agreement and the performance of the services agreed on therein for the Controller, and only for the following purpose:

∙ The Processor’s direct marketing purposes, provided that the Processor’s direct marketing is centered around the artists included in the Processor’s Self-Service Events and not used for general promotion of the Processor’s business.

2.3 The personal data processed by the Processor in the context of the Principal Agreement are only the following types of Attendee Personal Data:

∙ Name;

∙ Email address; and

∙ Country.

2.4 The Processor will not process personal data for any purpose other than that determined by the Controller. The Controller will inform the Processor of the processing purposes to the extent these are not already cited in this Processing Agreement.

2.5 The Processor will not make any independent decisions on the processing of personal data. The Parties confirm that, as between Controller and Processor, Controller holds authority over personal data provided to the Processor in the context of this Processing Agreement.

2.6 Any and all rights (including, without limitation, proprietary rights) to the personal data that the Processor processes for the Controller remain with the Controller and/or the particular data subjects.

2.7 Processor will not delete or destroy any of Controller’s personal data or media on which such personal data resides without Controller’s prior approval, subject to the requirements of this Processing Agreement. In the event any of Controller’s personal data in Processor’s possession is lost or destroyed due to a breach of the Security Measures (as defined below) or specifically designated security procedures, Processor will be responsible for providing its reasonable efforts to assist with the prompt regeneration or replacement of such data.


3. Processor's obligations

3.1 The Processor ensures continuous compliance with the applicable privacy legislation and regulations, such as the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”).

3.2 The Processor shall, immediately upon request from the Controller, inform the Controller about the measures it has taken concerning its obligations under this Processing Agreement.

3.3 The obligations arising for the Processor from this Processing Agreement shall apply to any and all persons or entities processing personal data under the authority of the Processor, which include but are not limited to employees and workers engaged by the Processor.


4. Transfer of personal data

4.1 The Processor is hereby permitted to process personal data within the European Union. The processing of personal data outside the European Union is permitted, subject to the Controller’s approval, with due observance of the statutory provisions which apply for this. Immediately at the Controller’s request, the Processor will inform the Controller in which country or countries personal data is processed.

4.2 If the Processor intends to engage third parties for the processing of personal data, the Processor will inform the Controller of this in advance and in writing and obtain the Processor’s prior approval. Without such written approval the Processor shall not engage third parties for the processing of Controller’s personal data.

4.3 The Processor shall continuously ensure that third parties engaged as sub-processors of personal data accept in writing the same obligations as have been agreed between the Controller and the Processor. In the event a sub-processor fails to fulfil its data protection and processing obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations.


5. Additional documentation

5.1 The Processor will enter into additional agreements and documents (such as the standard contractual clauses published by the relevant data protection authorities) as may be necessary to ensure the lawful processing of personal data under this Processing Agreement and to ensure the receipt of all necessary approvals for such processing from appropriate regulatory authorities and will cooperate with the Controller in order to obtain such approvals as soon as reasonably possible.

5.2 If the Controller is required by law to conduct a data protection-related impact assessment or consult with an applicable regulatory authority, the Processor will cooperate with the Controller to the extent necessary for the Controller to perform its obligations, such as by providing requested information to the Controller.

5.3 Upon request, the Processor will provide information to the Controller to demonstrate compliance with this Processing Agreement.


6. Distribution of responsibilities

6.1 For the purposes of the processing operations under this Processing Agreement, the Processor will make relevant IT-resources and documentation available for the Controller to ascertain the Processor’s compliance with relevant legislation and this Processing Agreement.

6.2 The Processor is solely responsible for processing of personal data under this Processing Agreement in accordance with the instructions from the Controller. The Processor is not responsible for other processing operations performed on the personal data, which in any event include but are not limited to the Controller’s: (i) collection of the personal data; (ii) processing operations by the Controller for purposes that the Controller has not reported to the Processor; (iii) processing operations by third parties that the Controller has engaged.


7. Security measures

7.1 The Processor shall take all appropriate technical and organizational measures necessary in relation to the processing of personal data to be performed to protect against loss or any form of unlawful processing (such as – but not limited to – unauthorized access, tampering, alteration of personal data) to maintain and ensure a high level of security for the personal data which is appropriate to the risks.

7.2 Such technical and organizational measures, referenced in section 7.1, will include reasonable administrative, physical, and technical security controls (including those required by applicable data privacy legislation) that prevent the collection, use, disclosure, or access to the Controller’s personal data and the Controller’s confidential information, including maintaining a comprehensive information security program that safeguards the Controller’s personal data and confidential information (hereinafter “Security Measures”). Such Security Measures will include: (a) strict logical or physical separation between (i) the Controller’s personal data and the Controller’s confidential information and (ii) the Processor’s own data and data of other customers of the Processor; (b) maintaining industry standard perimeter protection for the Processor’s network and devices connected thereto (hereinafter “Processor’s System”); (c) applying, as soon as practicable, patches or other controls to the Processor’s System that effectively address actual or potential security vulnerabilities; (d) employing commercially reasonable efforts to ensure that the Processor’s System remains free of security vulnerabilities, viruses, malware, and other harmful code; (e) employing commercially reasonable efforts to practice safe coding standards and practices which address application security vulnerabilities; (f) providing appropriate education and training to the Processor’s employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations; (g) accessing or transferring the Controller’s personal data or confidential information to or from the Controller’s systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by the Controller in advance in writing; and (h) limiting the Processor’s employee/agent/subcontractor access to the Processor’s network, systems, devices and facilities to those with a need for such access, and whose access privileges are revoked promptly upon their termination.

7.3 The Processor will provide to the Controller an individual point of contact for security purposes and will update this information from time to time as necessary.

7.4 The Processor shall, upon the Controller’s request, specify the above-described Security Measures applied by the Processor.


8. Notification requirement

8.1 The Processor has and will maintain a security incident response plan that includes procedures to be followed in the event of unauthorized access, acquisition, or loss of personal data or confidential information.

8.2 In the event of a security incident, such as (but not limited to) a data leak and/or breach (defined as a breach of security as referred to in article 33 of the General Data Protection Regulation) (hereinafter “Security Incident”), impacting the Processor and/or the Processor’s affiliate(s) and/or its sub-processors, the Processor will inform the Controller about this immediately in writing, in any event no later than within 36 hours after discovering the Security Incident, following which the Controller will assess whether or not to inform the data subject(s) and/or the relevant supervisory authorities.

8.3 In the event of a Security Incident, at its own cost and expense, the Processor will perform an evaluation and develop plans to contain the Security Incident and prevent its recurrence.

8.4 Upon the Controller's request, the Processor will cooperate with the Controller in the informing of data subject(s) and/or the relevant supervisory authorities of the Security Incident.

8.5 In addition to reporting the fact that a Security Incident has occurred, the Processor’s notification to the Controller must also contain:

∙ the date on which the Security Incident occurred (if the exact date is not known: the period of time within which the Security Incident occurred);

∙ the (presumed) cause of the Security Incident and its effect (to the extent known at this point and/or to be expected);

∙ the number of people whose data were subject to the Security Incident (if an exact number is not known: the minimum and maximum number of people whose data were affected);

∙ a description of the group of people whose data were subject to the Security Incident, including the type or types of personal data that were breached/leaked;

∙ whether the data were encrypted, hashed or otherwise rendered incomprehensible or inaccessible to unauthorized users;

∙ the measures proposed and/or already taken to stop the leak and limit the effects of the Security Incident; and

∙ contact details for follow-up on the notification.


9. Handling of requests from data subjects

9.1 The Processor will cooperate with the Controller in order to ensure that any person who is the subject of data processing under this Processing Agreement has the opportunity to exercise their legal rights with respect to personal data concerning that person.

9.2 If a data subject directs a request for inspection, correction, supplementation, amendment or blocking of his/her personal data to the Processor or otherwise makes use of the rights accorded to data subjects under applicable privacy legislation, the Processor will forward the request to the Controller and the Controller will handle the request from that point. The Processor may inform the data subject of such hand-over.

9.3 If a data subject directs a request for inspection, correction, supplementation, amendment or blocking of his/her personal data to the Controller, the Processor will, if the Controller so desires, cooperate with this to the extent possible and reasonable.


10. Confidentiality

10.1 A duty of confidentiality applies to all personal data that the Processor receives from the Controller and/or collects itself in the context of this Processing Agreement. The Processor will not use these data for a purpose other than that for which it has received the data, not even if these data are put in a form such that they cannot be traced back to the data subjects.

10.2 The Processor will not disclose personal data to third parties except for legally required disclosures to law enforcement authorities (of which the Controller will be given prompt notice except where prohibited by law), or to the Processor’s sub-processors as necessary to perform the services pursuant to the Principal Agreement. The Processor will only make disclosures to sub-processors (including the Processor’s affiliates acting as sub-processors) if: (a) the Processor meets sub-processor, onward transfer, and any other applicable requirements under applicable data privacy legislation, (b) upon the Controller’s request, the Processor specifies the process by which it meets the requirements under (a) (including the use of BCRs, standard contractual clauses, or another legally permissible method), (c) the contract between the Processor and sub-processor requires the sub-processor to comply with data protection requirements equivalent to those in this Processing Agreement, (d) the Processor is liable for any acts or omissions of the sub-processor, and (e) the Processor identifies in writing and communicates its sub-processors and the country in which they are located in writing to the Controller (email acceptable), including prior to appointing a new sub-processor, for the Controller’s approval.


11. Audit

11.1 The Processor will regularly conduct tests and self-audit(s) in order to ensure and control its continued compliance with the terms of this Processing Agreement.

11.2 The Controller has the right, once (1) each calendar year, to conduct audits carried out by an independent third party which is bound by confidentiality in order to monitor the Processor’s compliance with this Processing Agreement. The Controller will inform the Processor about the proposed audit at least two weeks in advance.

11.3 The Processor shall cooperate with each audit and auditor and provide all information that is reasonably relevant for the audit, including supporting data, such as system logs, and make employees available in as timely a fashion as possible (but in any event within two weeks).

11.4 The Processor will assist the Controller with performing a Data Protection Impact Assessment (DPIA), as this is described in the GDPR.

11.5 If the Controller provides the Processor with notice of a security deficiency (detected through tests or audits performed under this section or otherwise), the Processor will remediate the deficiency within a mutually agreed upon timeframe.

11.6 The costs of the audit, including any internal costs on the part of the Processor, will be paid for by the Controller unless the audit reveals misconduct and/or non-compliance on the part of the Processor with respect to its obligations and duties hereunder (in which case the Processor shall pay the audit costs).


12. Term and termination

12.1 This Processing Agreement shall be in full force and effect from the date on which the Processor is deemed to process personal data on behalf of the Controller.

12.2 This Processing Agreement is entered into for an indefinite time-period. Termination of the Services as described in the Principal Agreement causes this Processing Agreement to end at the same moment.

12.3 As soon as this Processing Agreement has been terminated for any reason and in any manner whatsoever, the Processor will return to the Controller all personal data present at its organization and (if approved) its sub-processors’ organization, on request, in its original form or in the form of copies, and it will subsequently (solely if so instructed in writing by Controller) delete and/or destroy these and any copies thereof.

12.4 This Processing Agreement may be amended exclusively in writing with the permission of both Parties.


13. Miscellaneous

13.1 This Processing Agreement constitutes an integral part of the Principal Agreement. Provisions in the Principal Agreement, such as agreements concerning liability, therefore apply for the Processing Agreement.

13.2 This Processing Agreement and its performance are governed by the substantive laws of Sweden.

13.3 All disputes that arise between the Parties in connection with this Processing Agreement will be submitted to the District Court of Stockholm, Sweden.

13.4 Logs and measurements taken by the Processor or the Controller may serve as evidence in legal proceedings.

13.5 If one or more provisions of this Processing Agreement prove to be legally invalid or unenforceable, the remainder of this Processing Agreement will remain in force. In that case, the Parties will consult on the legally invalid or unenforceable provisions in order to arrive at an alternative arrangement which is indeed legally valid and enforceable and which is as consistent as possible with the meaning and effect of the provision thus being replaced.

13.6 Solely with respect to provisions regarding processing of personal data, in the event of contradiction between different documents or the appendices to these, the following ranking applies:

∙ first, the Processing Agreement;

∙ second, the Principal Agreement;

∙ third, any additional terms and conditions of the Processor.

For the avoidance of doubt, any other provisions under the Principal Agreement not relating to processing of personal data shall prevail over any language to the contrary contained in this Processing Agreement.


14. Contact details

Name: Live Doors AB
Registration no: 559261-6717
Address: Brahegatan 9, 3rd floor, SE-114 37 Stockholm, Sweden
Support email: [email protected]